Western Digital NAS Units Come With Hard Coded Backdoor


If you've got a Western Digital My Cloud, you'd best hit the software update button and install the latest firmware upgrade. Security researcher James Bercegay says over a dozen different models have a hard coded back door that lets anyone log in using a specific username/password combination.

According to the researcher, the following models are affected:

  • MyCloud
  • MyCloudMirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

Full details on the vulnerability are published at Gulftech's website.

Bercegay says the issue arises because of "the misuse and misunderstanding of the PHP gethostbyaddr() function used within PHP, by the developer of this particular piece of code". As a result, anyone can log in as user mydlinkBRionyg using abc12345cba as their password. That user account has admin access to the device.
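Two patterns the article mentions are worth seeing side by side. The first is the fragile one: a device deciding that a request is "local" from the name that a reverse-DNS lookup returns, and gating a built-in account on that. The second is the hardened alternative: deciding "local" from the socket address itself, and keeping credentials in a store written at setup time rather than in the source. The PHP below is an added example, not code from Western Digital, D-Link or the Gulftech advisory; the function names, the placeholder constants and the in-memory credential store are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from Western Digital, D-Link or the Gulftech advisory.
// Function names, placeholder constants and the in-memory store are assumptions.

// --- Fragile pattern (generic, shown for contrast) -------------------------
// gethostbyaddr() returns the PTR name served by whoever controls the client
// address's reverse zone, or the unchanged IP string when the lookup fails.
// Neither result proves the request originated on this device, so a fixed
// account gated by this check is reachable from any client whose reverse DNS
// resolves to the expected name.
const PLACEHOLDER_USER = 'built-in-user';      // placeholder, not a real account
const PLACEHOLDER_PASS = 'built-in-password';  // placeholder, not a real secret

function fragileLogin(string $remoteAddr, string $user, string $password): bool
{
    $looksLocal = gethostbyaddr($remoteAddr) === 'localhost';
    return $looksLocal && $user === PLACEHOLDER_USER && $password === PLACEHOLDER_PASS;
}

// --- Hardened pattern ------------------------------------------------------
// Decide "local" from the socket address itself, never from a DNS name.
function isLoopbackAddress(string $remoteAddr): bool
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $packed = inet_pton($remoteAddr);
    if (strlen($packed) === 4) {                 // IPv4: anything in 127.0.0.0/8
        return ord($packed[0]) === 127;
    }
    if ($packed === inet_pton('::1')) {          // IPv6 loopback
        return true;
    }
    // IPv4-mapped IPv6 (::ffff:127.x.x.x), as seen on dual-stack listeners
    $v4mapped = str_repeat("\0", 10) . "\xff\xff";
    return substr($packed, 0, 12) === $v4mapped && ord($packed[12]) === 127;
}

// Credentials live in a store created at setup time, not in the source.
// password_verify() performs the hash comparison in constant time.
function authenticate(string $user, string $password, array $hashStore): bool
{
    static $decoyHash = null;
    $decoyHash ??= password_hash('decoy', PASSWORD_DEFAULT);
    // Verify against a decoy hash for unknown users so that response time
    // does not reveal which account names exist.
    $hash = $hashStore[$user] ?? $decoyHash;
    return password_verify($password, $hash) && isset($hashStore[$user]);
}

// Constructed demo input: the store is built in memory here; a device would
// load it from a configuration file written when the owner sets the password.
$store = ['admin' => password_hash('chosen-at-first-boot', PASSWORD_DEFAULT)];

var_dump(isLoopbackAddress('127.0.0.1'));
var_dump(isLoopbackAddress('::ffff:127.0.0.1'));
var_dump(isLoopbackAddress('203.0.113.5'));
var_dump(authenticate('admin', 'wrong', $store));
var_dump(authenticate('admin', 'chosen-at-first-boot', $store));
var_dump(authenticate('nobody', 'anything', $store));
```

The design point is that "is this request local?" must be answered from data the server already holds (the peer address on the accepted socket), not from a lookup whose answer is controlled by an external DNS zone, and that no code path should accept a username and password that are not in the owner-managed credential store.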

D-Link had the same problem and patched the vulnerability back in 2014, but it seems WD have let this slide for quite some time. Bercegay notified WD last June, with the bug going public last week.

Comments

    With these (increasingly-frequent) stories I always wonder what's worse - the fact that such a bug shipped, or that even after being given 6 months' notice to react before the information goes public, the manufacturer chooses to do nothing about it.

      The problem is there's little sanction(s) for such carelessness, unless they're sued directly and it makes the news.

      GDPR-like legislation targeted towards vendors producing code - software and firmware - needs to be enforced globally for accountability for lack of due diligence.

      If a product is under warranty or support, vendors ought to be vetting/auditing its code per update or monthly - whichever comes first.

      Reports should articulate defined checks - not the code itself - which must be published for transparency.

      Those who fail to provide such audits ought to be banned from markets or have poor product ratings, affecting their sales.

      In a perfect world... it would take the European Union to bother with such frameworks/laws.

    Thanks America for your NSA being so diligent in trying to keep the world safe from evil family photos and spreadsheets.
